MANILA, Philippines – A zero-day exploit on iOS and OS X may reportedly allow hackers to break through Apple’s password management system and app passwords, stealing them in the process.

The flaw was revealed in an academic paper released by researchers from Indiana University, Peking University and the Georgia Institute of Technology, and discussed on The Register.

The researchers were able to upload malware to Apple’s app stores, which passed the company’s vetting processes. When installed, the malware attacks the keychain, or password management system, to steal passwords. Such stolen passwords would include those on Mac services like iCloud and the Mail app, as well as passwords stored within Google Chrome.

The Register said lead researcher Luyi Xing and the team complied with Apple’s request to withhold publication of the research for 6 months, but did not hear back as of the time of writing.

Xing added, “We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”

Users should exercise caution when downloading apps from unknown developers, even when on the iOS and Mac app stores. Users should also be alert if an app asks you to log in manually, when the keychain usually handles the login on your behalf. – Rappler.com

Hacker or malware concept image from Shutterstock